'Schrems III' Data Transfer Challenge Likely, Privacy Activists Say
The European Commission is under pressure to approve EU-U.S. data flows but is likely to face another legal challenge, data protection advocates said on a Thursday European Parliament Greens/European Free Alliance panel. The EC reportedly expects to unveil a preliminary response next month to President Joe Biden's executive order (EO) initiating a EU-U.S. Data Privacy Framework (see 2210070069) for review by data protection authorities and politicians. The EO doesn't resolve the problems noted by the European Court of Justice (ECJ) in Schrems II, panelists said.
Max Schrems, who successfully challenged trans-Atlantic data transfer systems Safe Harbor and Privacy Shield, said he expects privacy watchdogs to be concerned about the EO. He said he's preparing to contest any EC adequacy decision in the European Court of Justice. One idea under consideration is to seek a civil injunction against a company, which he said would get the case to the ECJ quickly.
The EC will probably "make it work" because it's under such enormous pressure to do so, said Kristina Irion, associate professor at the University of Amsterdam Institute for Information Law. She urged the EU to try not to repeat history with another "half-baked adequacy decision."
What hasn't changed since Schrems II is that there are still concerns about the adequacy of privacy protections in U.S. surveillance law for non-U.S. persons abroad, said Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald. EPIC believes the EO commitments aren't sufficient and protection should be enshrined in law, she said, including changes to Section 702 of the Foreign Intelligence Surveillance Act when it expires next year. The U.S. also needs a federal privacy law, she said.
One problem is that the EO isn't binding on third parties, only on the U.S. executive branch internally, panelists said. It also fails to place limits on the collection of personal data by U.S. intelligence services and doesn't address bulk collection, said Member of the European Parliament Patrick Breyer, of the Greens/EFA and Germany. The EO calls for proportionality in surveillance, but the word has different meanings for Europe and the U.S., Schrems said: That lack of a common understanding isn't likely to fly with the ECJ.
Lawmakers often hear that the general data protection regulation needs streamlining to help businesses, said MEP Gwendoline Delbos-Corfield, of the Greens/EFA and France. In the U.K., which is preparing to enact its own data protection law, that's the only thing Delbos-Corfield heard from government officials, she said. The business leaders she spoke with, however, said they don't want divergence from the GDPR because it adds complexity and because they recognize that enforcing fundamental rights isn't incompatible with business interests, she added.